GDPR at DO

All DigitalOcean services comply with GDPR provisions. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it has raised the bar for data protection, security and compliance in the industry.

Overview

The European Union's General Data Protection Regulation (“GDPR”) is a comprehensive privacy and security law that establishes a framework for protecting the personal data of individuals within the European Economic Area (“EEA”). The regulation applies to any organization, regardless of its physical location, that processes the personal data or offers services to individuals within the EEA. GDPR aims to provide individuals with greater control over their personal data, enforce transparency in data processing, and ensure that organizations implement stringent technical and organizational measures to safeguard privacy.

DigitalOcean’s Support of GDPR and Data Privacy

DigitalOcean provides security, privacy, and data management features intended to support customers with their internal GDPR compliance and assessment efforts. The information in this section describes certain capabilities, tools, and transparency resources available through the Company’s services and is provided for informational purposes only. These features do not constitute a representation or guarantee of GDPR compliance.

Privacy and Data Governance

  • DigitalOcean (“we”) holds a Global PRP certification to evidence the strength of our “appropriate technical and organizational measures,” including, but not limited to, logical access, encryption, breach notification, and data minimization.
  • Our robust commitments to privacy, data protection, and security protections as a subprocessor in providing our Services are set forth in our Data Processing Agreement (“DPA”).
  • Customers may use DigitalOcean’s API and customer management tools to assist in responding to data subject access requests (“DSARs”) related to the personal data they host on our platform.
    • Self-service tools within the DigitalOcean Control Panel allow customers to access, rectify, or delete their account data in response to a data subject request they receive.
  • To facilitate the lawful transfer of our customers’ personal data from the EEA to the United States, we utilize Standard Contractual Clauses (SCCs), which are set forth within our DPA.
  • We have an established process to complete privacy reviews in our business operations, including in product development activities, and perform reviews as required.
  • We maintain a Subprocessor List covering our core infrastructure subprocessors, as well as subprocessors for add-on Services that customers may optionally select to use.

Security Controls

  • We support customers’ data sovereignty rights by offering data centers in Amsterdam, Frankfurt, and London.
  • We maintain logical access policies and procedures to limit access to systems processing personal data so such access is restricted to authorized personnel based on the principle of least privilege.
  • We utilize industry-standard encryption protocols (e.g., TLS) to protect data in transit and implement encryption at rest for various storage services.
  • We perform regular security assessments, including vulnerability scanning and penetration testing, to identify and mitigate risks to the processing environment.

Outsourcing & Third-Party Risk Management

  • We provide DigitalOcean and data center provider certifications to customers through our Trust Center.
  • We conduct security and privacy reviews of all third-party vendors and subprocessors as part of our onboarding and annual review processes.
  • We require that all vendors processing personal data are contractually bound to data protection standards at least as stringent as those required by the GDPR.

DigitalOcean Service Customer Controls and GDPR Compliance Considerations

Customers are responsible for evaluating whether the services they deploy are configured and governed in a manner appropriate for their specific GDPR compliance obligations. Customers may access additional information and supporting documentation to assist in their evaluation:

Data Residency

Customers are responsible for selecting the data center location that best meets their compliance needs when they open their accounts.

Consumer Request Fulfillment

Customers can use DigitalOcean’s API and management tools to retrieve or delete data in response to applicable data subject access requests the customer may receive.

Individual Developers

Developers using DigitalOcean services to process EU personal data are responsible for developing their own compliance programs to account for in-scope legislation (e.g., GDPR).

Transparency

Customers can share DigitalOcean’s published DPA with their own clients to generally inform them of the security measures committed to by DigitalOcean.

Security of the Application

While DigitalOcean secures the underlying infrastructure, customers are responsible for the security of the applications they build, including the implementation of “Privacy by Design” and “Privacy by Default.”
